munki / munkiwebadmin

Web app to manage a Munki repo and monitor Munki clients

[CLOSED] Add Leopard compatibility to client postflight script #5

Closed natewalck closed 10 years ago

natewalck commented 10 years ago

Issue by natewalck Friday Sep 19, 2014 at 07:06 GMT Originally opened as https://github.com/munki/munki/issues/210


From brian.e....@gmail.com on November 09, 2012 18:05:59

postflight on a Leopard client fails due to a lack of the sha256 digest option in openssl.

Since we are still deploying a pile of old Leopard machines in our school division, I added the following lines to postflight.

    # Pick the digest by OS version; openssl on Leopard lacks sha256.
    # Note: [[ < ]] is a string comparison, so "10.10" also sorts before "10.6".
    SW_VERS=$(sw_vers | grep ProductVersion | awk '{print $2}')
    if [[ "$SW_VERS" < "10.6" ]]; then
        HASH_METHOD="sha1"
    else
        HASH_METHOD="sha256"
    fi

and changed line 43 to:

    INVENTORY_CHECKSUM=$(cat /Library/Managed\ Installs/ApplicationInventory.plist | openssl dgst -$HASH_METHOD)

If anyone has any other more elegant ideas, I'm all for it.

Original issue: http://code.google.com/p/munki/issues/detail?id=210

natewalck commented 10 years ago

Comment by natewalck Friday Sep 19, 2014 at 07:06 GMT


From gregnea...@mac.com on November 10, 2012 09:09:14

Munki itself does not ship with a postflight script. I am assuming you are referring to the postflight that ships with MunkiWebAdmin.

This change prevents the postflight script from failing on a Leopard client, but isn't an ideal fix. The locally-generated SHA1 checksum will never match the one on the server (which will still be a SHA256 checksum) so the inventory will be submitted on every run.

A better fix would be to find another way to generate a sha256 checksum on Leopard. Python 2.5 is available on Leopard, and contains hashlib, which supports sha256 hashes; so it should be possible to make a Python script to replace the functionality of openssl dgst sha256, or better, perhaps, to just rewrite the postflight entirely in Python.

Any takers?

natewalck commented 10 years ago

Comment by natewalck Friday Sep 19, 2014 at 07:06 GMT


From brian.e....@gmail.com on November 13, 2012 08:28:52

I like the idea of rewriting the MWA postflight script in Python, but I'm afraid my abilities aren't up to it yet.

So here's what I put together to replace the openssl dgst -sha256 function.

Created a new Python script, scripts/hash.py, with the following:

    #!/usr/bin/env python

    import subprocess
    import hashlib

    # Read the inventory plist via cat and print its SHA-256 hex digest.
    p = subprocess.Popen(["cat", "/Library/Managed Installs/ApplicationInventory.plist"], stdout=subprocess.PIPE)
    out, err = p.communicate()
    print hashlib.sha256(out).hexdigest()

Then changed line 43 in scripts/postflight to:

    INVENTORY_CHECKSUM=$(python /usr/local/munki/hash.py)

Tested on Leopard and Snow Leopard so far, and I learned a bit of Python now. That said, anyone see anything glaringly wrong?

natewalck commented 10 years ago

Comment by natewalck Friday Sep 19, 2014 at 07:06 GMT


From gregnea...@mac.com on February 12, 2013 20:33:24

Brian: we could inline this right into the shell script:

    python -c 'import hashlib; f = open("/Library/Managed Installs/ApplicationInventory.plist").read(); print hashlib.sha256(f).hexdigest()'

This would eliminate the need for the hash.py script.

natewalck commented 10 years ago

Comment by natewalck Friday Sep 19, 2014 at 07:06 GMT


From gregnea...@mac.com on February 12, 2013 20:48:09

More specifically:

    INVENTORY_CHECKSUM=$(/usr/bin/python -c 'import hashlib; f = open("/Library/Managed Installs/ApplicationInventory.plist").read(); print hashlib.sha256(f).hexdigest()')

This change has been committed to the Git repo.

Status: Fixed
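
The resubmission problem raised in the second comment, and the effect of the hashlib fix, as an added example that is not part of the thread or of MunkiWebAdmin. The function names, the constructed sample plist and the stand-in server (assumed, as the thread says, to hold the SHA-256 of whatever it last received) are assumptions, and the code targets Python 3 rather than the Python 2.5 found on Leopard.

```python
import hashlib
import os
import tempfile

# Constructed sample standing in for ApplicationInventory.plist.
SAMPLE_PLIST = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                b'<plist version="1.0"><array><dict>'
                b'<key>name</key><string>Example.app</string>'
                b'</dict></array></plist>\n')

def write_sample_inventory():
    """Write the constructed plist to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".plist")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_PLIST)
    return path

def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hex digest of a file, read as bytes in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def needs_submit(path, server_checksum, algorithm="sha256"):
    """True when the local checksum differs from the one the server reports."""
    return file_digest(path, algorithm) != server_checksum.strip().lower()

def simulate_runs(path, algorithm, runs=3):
    """Count uploads over several runs while the inventory never changes."""
    server_checksum = ""  # hypothetical server: nothing stored yet
    uploads = 0
    for _ in range(runs):
        if needs_submit(path, server_checksum, algorithm):
            uploads += 1
            # Assumption from the thread: the server side always uses SHA-256.
            server_checksum = file_digest(path, "sha256")
    return uploads

if __name__ == "__main__":
    inventory = write_sample_inventory()
    try:
        for algo in ("sha256", "sha1"):
            print(algo, "client uploads:", simulate_runs(inventory, algo))
    finally:
        os.remove(inventory)
```

A 40-character SHA-1 digest can never equal a 64-character SHA-256 digest, so the SHA-1 client uploads on every run, while the SHA-256 client uploads once.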